Cyber regulation is changing in Australia. As governments globally grapple with the ever-changing and increasingly challenging cyber landscape, Australia is poised to implement new laws and update existing regulation in order to enhance Australia’s cyber security and resilience. These changes fall within the framework established by the 2023-2030 Australian Cyber Security Strategy, which aims to make Australia a world leader in cyber security by 2030.
Scam Code Act
In light of the 601,000 scams reported by Australians in 2023, accounting for an estimated $1.3 billion in losses, it has been reported this week that the Government will be introducing a new Scam Code Act.
This will require digital communications platforms, telecommunications carriers and banks to report scams as soon as they are detected, or face fines of up to AUD 50 million. The Australian Competition and Consumer Commission (ACCC) will be granted powers to draft mandatory codes across the three sectors, and also for individual businesses and platforms. It is expected that the new regime will also include requirements for:
- platforms to verify their advertisers;
- banks to warn customers if they attempt to make a transfer to an account that is identified as fraudulent;
- carriers to take certain measures to prevent scams being spread by SMS;
- companies designated by the ACCC to establish internal dispute resolution processes to hear complaints from customers and consider refunds; and
- all companies to maintain a “scams defence plan” to assist customers.
It is expected that the legislation will be tabled in parliament later this year, and we will keep you updated as more information is released about the proposed legislation.
Other cyber security measures
As a further rollout of the 2023-2030 Australian Cyber Security Strategy, the Australian Government has consulted on a range of proposed new cyber security legislation. In order to address existing gaps in regulation, consultation was sought on the following proposed measures:
- mandating a security standard for consumer-grade smart devices, to incorporate basic security features by design and help prevent cyber attacks on Australian consumers;
- creating a no-fault, no-liability ransomware reporting obligation to improve collective understanding of ransomware incidents across Australia, in order to counteract the limited visibility over the amount of ransoms paid by Australian organisations. The laws are proposed to apply to businesses with an annual turnover of more than $3 million and include fines for failure to disclose;
- creating a ‘limited use’ obligation to clarify how the Australian Signals Directorate and the Cyber Coordinator may use information voluntarily disclosed to them during a cyber incident, in order to encourage industry to collaborate with the Government as part of an incident response; and
- establishing a Cyber Incident Review Board to conduct no-fault incident reviews and share lessons learned to improve Australia’s national cyber resilience.
The Government received 130 submissions as part of the consultation, which closed on 1 March 2024. We will keep you updated on the outcome of the consultation.